CCNA4E_CH5_STUDY_GUIDE_KEY

CCNA EXPLORATION
ACCESSING THE WAN
Study Guide
Chapter 5: ACLs
5.1.1 Describe port numbers.
0 – 1023 Well Known Ports
1024 – 49151 Registered Ports
49152 – 65535 Private and/or Dynamic Ports
What are some of the well known & registered TCP ports?
Well known:
21 – FTP (Also Port 20)
23 – Telnet
25 – SMTP
80 – HTTP
110 – POP3
194 – IRC
443 – Secure HTTP (HTTPS)
Registered:
1863 – MSN Messenger
8008 – Alternate HTTP
8080 – Alternate HTTP
What are some of the well known & registered UDP ports?
Well known:
69 – TFTP
520 – RIP
Registered:
1812 – RADIUS Authentication Protocol
2000 – Cisco SCCP (VoIP)
5004 – RTP (Voice & Video Transport Protocol)
5060 – SIP (VoIP)
What are some of the well known & registered TCP/UDP ports?
Well known:
53 – DNS
161 – SNMP
531 – AOL Instant Messenger
Registered:
1433 – MS SQL
2948 – WAP (MMS)
5.1.2 Describe packet filtering.
Sometimes called static packet filtering, packet filtering controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.
At what OSI layer & TCP/IP layer does this process take place?
Packet filtering works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.
What does a router use to perform packet filtering?
A packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet.
CCNA EXP 4
CH.5 ACLs
APRIL 2009
How are the rules in the answer above defined?
These rules are defined using access control lists or ACLs.
Describe ACLs.
An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
Source IP address
Destination IP address
ICMP message type
The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:
TCP/UDP source port
TCP/UDP destination port
5.1.3 How does the router apply ACLs?
As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet.
Does a router filter traffic by default?
No. Without ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment.
What are some guidelines for using ACLs?
 Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
 Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
 Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
 Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
Describe the three Ps for applying ACLs on a router.
You can configure one ACL per protocol, per direction, per interface:
 One ACL per protocol: to control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
 One ACL per direction: ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
 One ACL per interface: ACLs control traffic for an interface, for example, Fast Ethernet 0/0.
What tasks do ACLs perform?
 Limit network traffic to increase network performance.
 Provide traffic flow control. ACLs can restrict the delivery of routing updates.
 Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.
 Decide which types of traffic to forward or block at the router interfaces.
 Control which areas a client can access on a network.
 Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.
5.1.4 Describe ACLs as they apply to inbound traffic or to outbound traffic.
Inbound ACLs: incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
Outbound ACLs: incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
What is true about all ACLs?
A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction. This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.
Describe the router logic for an outbound ACL.
Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer.
What are the results of the permit & deny statements in outbound lists?
"To permit" means to send the packet to the output buffer, and "to deny" means to discard the packet.
What could one reason be for traffic being unintentionally blocked?
At the end of every access list is an implied "deny all traffic" criteria statement. If a packet does not match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is the default behavior of ACLs and cannot be changed.
5.1.5 Describe Standard ACLs.
Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. Standard ACLs are created in global configuration mode.
Explain this example:
access-list 10 permit 192.168.30.0 0.0.0.255
The example allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end, all other traffic is blocked with this ACL.
Describe Extended ACLs.
Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control. Extended ACLs are created in global configuration mode.
Explain this example:
access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80
ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP).
5.1.6 What are the two main tasks involved in using ACLs?
Step 1. Create an access list by specifying an access list number or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.
How does a standard ACL work?
A standard ACL is a sequential collection of permit and deny conditions that apply to IP addresses. The destination of the packet and the ports involved are not covered.
5.1.7 Why use named ACLs?
A number does not inform you of the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.
Describe numbered ACLs.
You assign a number based on which protocol you want filtered:
1 – 99 & 1300 – 1999 Standard IP ACL
100 – 199 & 2000 – 2699 Extended IP ACL
Describe named ACLs.
You assign a name by providing the name of the ACL:
Names can contain alphanumeric characters
Suggestion: names should be written in CAPITAL LETTERS
Names cannot contain spaces or punctuation & must begin with a letter
You can add or delete entries within the ACL
What numbers are used by AppleTalk? By IPX?
Numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX.
5.1.8 What are the basic rules for the proper placement of an ACL?
Every ACL should be placed where it has the greatest impact on efficiency.
 Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
 Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
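Sections 5.1.3 to 5.1.8 in code, as an added example that is not from the study guide or from Cisco: a parser for the numbered-ACL syntax the guide shows (the standard ACL 10 and extended ACL 103 lines above are the sample input), a top-to-bottom evaluator that returns the implicit deny when nothing matches, and a check for entries that can never be reached because an earlier entry matches everything (the "incorrect order of list statements" error listed under 5.4.5). `Packet`, `parse_acls`, `evaluate` and `unreachable` are this example's own names, and the sample configuration and packets are constructed.

```python
"""Top-down evaluation of numbered IOS ACLs, including the implicit deny.

Added worked example, not code from the study guide or from Cisco. It parses the syntax
the guide shows (standard: source [wildcard]; extended: protocol source [op port]
destination [op port]) plus host, any and remark. Sample lines and packets are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = 0xFFFFFFFF                      # wildcard 255.255.255.255: ignore every bit
OPERATORS = {"eq", "neq", "gt", "lt"}
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # partial list
AddrSpec = Tuple[int, int]            # (address, wildcard) as 32-bit integers
PortCond = Optional[Tuple[str, int]]  # (operator, port); None means any port

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches any IP protocol; standard ACLs always use it
    src: AddrSpec; dst: AddrSpec
    src_port: PortCond = None; dst_port: PortCond = None
    text: str = ""              # the configuration line, kept for reporting

@dataclass
class Packet:
    src: str; dst: str; protocol: str = "ip"; src_port: int = 0; dst_port: int = 0

def _address(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]'; return the spec and the rest."""
    if tokens[0] == "any":
        return (0, ANY), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    try:                              # optional wildcard; anything else means 0.0.0.0
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    except (IndexError, ValueError):
        return (_ip(tokens[0]), 0), tokens[1:]

def _port(tokens: List[str]) -> Tuple[PortCond, List[str]]:
    if tokens and tokens[0] in OPERATORS:
        return (tokens[0], PORT_NAMES.get(tokens[1]) or int(tokens[1])), tokens[2:]
    return None, tokens

def parse_acls(config: str) -> Dict[int, List[Entry]]:
    """Parse 'access-list N ...' lines in order; remark lines are documentation only."""
    acls: Dict[int, List[Entry]] = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 3 or t[0].lower() != "access-list" or t[2].lower() == "remark":
            continue
        number, action, rest = int(t[1]), t[2].lower(), t[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard ACL: source only
            src, rest = _address(rest)
            entry = Entry(action, "ip", src, (0, ANY), text=line.strip())
        else:                                              # extended ACL
            protocol, rest = rest[0].lower(), rest[1:]
            src, rest = _address(rest)
            sport, rest = _port(rest)
            dst, rest = _address(rest)
            dport, rest = _port(rest)
            entry = Entry(action, protocol, src, dst, sport, dport, line.strip())
        acls.setdefault(number, []).append(entry)
    return acls

def _addr_match(address: int, spec: AddrSpec) -> bool:
    entry_addr, wildcard = spec       # wildcard bit 0: bit must match; bit 1: ignored
    return (address ^ entry_addr) & ~wildcard & ANY == 0

def _port_match(cond: PortCond, port: int) -> bool:
    if cond is None:
        return True
    op, v = cond
    return {"eq": port == v, "neq": port != v, "gt": port > v, "lt": port < v}[op]

def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for e in entries:
        if (e.protocol in ("ip", pkt.protocol)
                and _addr_match(_ip(pkt.src), e.src) and _addr_match(_ip(pkt.dst), e.dst)
                and _port_match(e.src_port, pkt.src_port) and _port_match(e.dst_port, pkt.dst_port)):
            return e.action, e.text
    return "deny", "implicit deny any"

def unreachable(entries: List[Entry]) -> List[str]:
    """Entries after one that matches everything: the guide's 'incorrect order' error."""
    for i, e in enumerate(entries):
        if e.protocol == "ip" and e.src[1] == e.dst[1] == ANY and not (e.src_port or e.dst_port):
            return [x.text for x in entries[i + 1:]]
    return []

# Constructed sample: the guide's ACL 10 and ACL 103 lines plus a mis-ordered ACL 20.
SAMPLE_CONFIG = """
access-list 10 remark Standard: permit the whole 192.168.30.0/24 network
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80
access-list 20 deny any
access-list 20 permit host 10.0.0.5
"""
```

The evaluator deliberately models only what the guide describes: numbers 1–99 and 1300–1999 filter on source only, everything else is treated as extended, and a port operator binds to whichever address it follows, as on IOS. `evaluate(parse_acls(SAMPLE_CONFIG)[103], Packet("192.168.30.7", "203.0.113.10", "tcp", 51000, 443))` returns the implicit deny because only port 80 is permitted, and `unreachable(parse_acls(SAMPLE_CONFIG)[20])` reports the `permit host 10.0.0.5` line that the preceding `deny any` shadows. It is a study aid for reasoning about order and the implicit deny, not a replacement for `show access-lists` on the device.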
5.1.9 What are some ACL best practices?
5.2.2 What is required in configuring numbered standard ACLs?
You must first create the standard ACL and then activate the ACL on an interface.
What command defines a standard ACL with a number in the range of 1 to 99?
The access-list global configuration command.
What is the maximum number of possible standard ACLs?
799:
1 – 99
1300 – 1999
What is the full syntax of the standard ACL?
Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]
Explain the syntax above.
What command displays the current ACLs configured on a router?
The show access-list command.
What command removes a standard ACL?
The no form of the access-list command with its number parameter.
What is the purpose of the remark keyword?
It is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters.
5.2.3 What is a wild card mask?
It is a 32-bit quantity used in conjunction with an IP address to determine which bits in an IP address should be ignored when comparing that address with another IP address. It is used when setting up ACLs.
How do wild card masks use the binary 1s & 0s as compared to subnet masks?
Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IP address. Wildcard masks use binary 1s and 0s to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. By carefully setting wildcard masks, you can permit or deny a single or several IP addresses.
Wildcard masks use what rules to match binary 1s and 0s?
Wildcard mask bit 0 - Match the corresponding bit value in the address
Wildcard mask bit 1 - Ignore the corresponding bit value in the address
Why are wildcard masks often referred to as an inverse mask?
The reason is that, unlike a subnet mask in which binary 1 is equal to a match and binary 0 is not a match, the reverse is true.
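The wildcard rules above in code, as an added example that is not from the study guide or from Cisco: it derives a wildcard from a subnet mask with the guide's subtraction shortcut, tests one address against an ACL entry bit by bit, and reports the address range an entry covers. The addresses are constructed, and `matches`, `matched_range` and the other function names are this example's own. The checks use the 192.168.16.0 0.0.15.255 and 0.0.254.255 pairs the guide works through in this section; one detail worth confirming with a quick run of `matches()` before an ACL goes on a router is that the third-octet parity 0.0.254.255 selects is set by the low bit of the address written in the entry (192.168.1.0 selects odd third octets, 192.168.0.0 the even ones).

```python
"""Wildcard-mask arithmetic for IOS standard and extended ACLs.

Added worked example; it is not code from the study guide or from Cisco.
It implements the guide's rules: a wildcard bit of 0 means the address bit
must match, 1 means it is ignored, and the wildcard for a subnet mask is
255.255.255.255 minus that mask. Sample addresses below are constructed.
"""
from __future__ import annotations
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted: str) -> int:
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value: int) -> str:
    """32-bit integer to dotted-quad string."""
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet_mask(mask: str) -> str:
    """The guide's shortcut: 255.255.255.255 minus the subnet mask.
    255.255.255.0 -> 0.0.0.255, 255.255.240.0 -> 0.0.15.255."""
    return to_dotted(ALL_ONES - to_int(mask))

def wildcard_from_prefix_len(prefix_len: int) -> str:
    """Same shortcut starting from a /n prefix length."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_subnet_mask(str(mask))

def matches(address: str, acl_address: str, wildcard: str) -> bool:
    """Bit-for-bit test: where the wildcard bit is 0 the address bit must equal
    the ACL entry's bit; where it is 1 the difference is masked away."""
    differing = to_int(address) ^ to_int(acl_address)
    return differing & ~to_int(wildcard) & ALL_ONES == 0

def matched_range(acl_address: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address an entry covers when the wildcard's 1-bits are
    contiguous low-order bits (the 0.0.0.255 / 0.0.15.255 case). A sparse
    wildcard such as 0.0.254.255 selects a non-contiguous set, so use matches()."""
    wc = to_int(wildcard)
    base = to_int(acl_address) & ~wc & ALL_ONES
    return to_dotted(base), to_dotted(base | wc)

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.240.0"))            # 0.0.15.255
    print(matched_range("192.168.16.0", "0.0.15.255"))           # ('192.168.16.0', '192.168.31.255')
    print(matches("192.168.3.5", "192.168.1.0", "0.0.254.255"))  # True: odd third octet
    print(matches("192.168.4.5", "192.168.1.0", "0.0.254.255"))  # False: even third octet
```

`matched_range` is only meaningful for contiguous wildcards, as its docstring says; for anything else, test candidate addresses individually with `matches`.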
Describe the following wildcard masks:
0.0.0.0
255.255.255.255
0.0.0.255
0.0.0.0: the wildcard mask stipulates that every bit in the IP address must match exactly. (Match all bits)
255.255.255.255: the wildcard mask stipulates that anything will match. (Ignore all bits)
0.0.0.255: the wildcard mask stipulates that it will match any host within the given network.
Given an IP address of 192.168.16.0 & a wildcard mask of 0.0.15.255, what are the results?
The first two octets and first four bits of the third octet must match exactly. The last four bits in the third octet and the last octet can be any valid number. This results in a mask that checks for 192.168.16.0 to 192.168.31.0
Given an IP address of 192.168.0.0 & a wildcard mask of 0.0.254.255, what are the results?
This shows a wildcard mask that matches the first two octets, and the least significant bit in the third octet. The last octet and the first seven bits in the third octet can be any valid number. The result is a mask that would permit or deny all hosts from odd subnets from the 192.168.0.0 major network.
What is the easiest way to calculate the wildcard mask?
By subtracting the subnet mask from 255.255.255.255.
Describe the keywords host and any in wild card masks.
The host option substitutes for the 0.0.0.0 mask. This mask states that all IP address bits must match or only one host is matched.
The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the entire IP address or to accept any addresses.
5.2.4 How is a standard ACL linked to an interface?
Use the ip access-group command.
What is the complete syntax for the command above?
Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}
How do you remove a standard ACL?
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
List the steps to configure a standard ACL
Step 1. Use the access-list global command to create an entry.
Step 2. Use the interface configuration command to select an interface to which to apply the ACL.
Step 3. Use the ip access-group interface configuration command to activate the existing ACL on the interface.
How can you control which administrative workstation or network manages your router?
Restricting VTY access is a technique that allows you to define which IP addresses are allowed Telnet access to the router EXEC process. This can be done by using an ACL.
What command restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list?
The access-class command in line configuration mode.
Why is an extended ACL not required to complete this process?
Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a higher level protocol. However, because you are using the access-class command to filter incoming or outgoing Telnet sessions by source address and apply filtering to VTY lines, you can use standard ACL statements to control VTY access.
What is the command syntax of the access-class command?
access-class access-list-number {in [vrf-also] | out}
What is the significance of the in | out parameters?
The parameter in restricts incoming connections between a particular Cisco device and the addresses in the access list, while the parameter out restricts outgoing connections
between a particular Cisco device and the addresses in the access list.
What are some considerations when configuring access lists on VTYs?
Only numbered access lists can be applied to VTYs.
Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.
5.2.5 How do you use the built-in editing feature for ACLs?
There is no built-in editing feature that allows you to edit a change in an ACL. You cannot selectively insert or delete lines.
What is the recommended method for configuring ACLs?
It is strongly recommended that any ACL be constructed in a text editor such as Microsoft Notepad. This allows you to create or edit the ACL and then paste it onto the router. For an existing ACL, you could use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and reload it.
What are the steps to edit and correct ACLs?
Step 1. Display the ACL using the show running-config command.
Step 2. Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. Once the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.
Step 3. In global configuration mode, disable the access list using the no access-list 20 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the configuration of the router.
How do you add comments to an ACL?
Use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL.
Where is the comment placed in an ACL?
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement.
What is the command syntax to configure a comment?
To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command.
Can comments be added to named ACLs? If so, how?
For an entry in a named ACL, use the remark configuration command.
5.2.6 What are the steps to create a standard named ACL?
Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, must be unique and must not begin with a number.
Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining if a packet is forwarded or dropped.
Step 3. Return to privileged EXEC mode with the end command.
Step 4. Apply the ACL to the appropriate interface.
5.2.7 What command displays the contents of all ACLs?
The show access-lists command.
5.2.8 What is another advantage of using named ACLs?
They are easier to edit. Starting with Cisco IOS Software Release 12.3, named IP ACLs allow you to delete individual entries in a specific ACL. You can use sequence numbers to insert statements anywhere in the named ACL. If you are using an earlier Cisco IOS software version, you can add statements only at the bottom of the named ACL. Because you can delete individual entries, you can modify your ACL without having to delete and then reconfigure the entire ACL.
5.3.1 What is an advantage of using an extended ACL vs. a standard ACL?
You can use extended ACLs for more precise traffic-filtering control.
How many total extended ACLs are possible?
100 to 199 and 2000 to 2699, providing a total of 800 possible extended ACLs.
How are the filter rules applied when using an extended ACL?
The ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit-deny decision.
How are applications filtered when using an extended ACL?
Using the appropriate port number, you can specify an application by configuring either the port number or the name of a well-known port.
Describe the logical operations that can be used in extended ACLs.
equal (eq), not equal (neq), greater than (gt), and less than (lt)
5.3.2 What is the syntax for configuring an Extended ACL?
Describe the parameters of an Extended ACL.
5.3.4 What are the steps to create an extended ACL using names?
Step 1. Starting in the global configuration mode, use the ip access-list extended name command to define a named extended ACL.
Step 2. In named ACL configuration mode, specify the conditions you want to allow or deny.
Step 3. Return to privileged EXEC mode and verify your ACL with the show access-lists [number | name] command.
Step 4. As an optional and recommended step, save your entries in the configuration file with the copy running-config startup-config command.
How do you remove a named extended ACL?
Use the no ip access-list extended name global configuration command.
5.4.1 List & describe the 3 categories of complex ACLs.
Dynamic ACLs (lock-and-key): users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.
Reflexive ACLs: allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router.
Time-based ACLs: allow for access control based on the time of day and week.
5.4.2 What is another name for Dynamic ACLs?
Lock-and-Key
What are some common reasons to use dynamic ACLs?
When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user and then permits limited access through your firewall router for a host or subnet for a finite period.
When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires the users to authenticate through a AAA, TACACS+ server, or other security server before it allows their hosts to access the remote hosts.
What are some of the benefits of Dynamic ACLs?
 Use of a challenge mechanism to authenticate individual users.
 Simplified management in large internetworks.
 In many cases, reduction of the amount of router processing that is required for ACLs.
 Reduction of the opportunity for network break-ins by network hackers.
 Creation of dynamic user access through a firewall, without compromising other configured security restrictions.
What are the steps to configuring Dynamic ACLs?
Step 1. Create a login name & password for authentication.
Step 2. Configure the ACL to allow the user to open a Telnet session to the router; a time limit can be set.
Step 3. Apply the ACL to the appropriate interface.
Step 4. Configure the vty lines to use login local & enable the use of the autocommand command, which will terminate the Telnet session so that the user can access the network as allowed.
5.4.3 What is the purpose of Reflexive ACLs?
To force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists.
How are Reflexive ACLs applied to an interface?
They are not applied directly to an interface but are "nested" within an extended named IP ACL that is applied to the interface.
How are Reflexive ACLs defined?
They can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named ACLs or with other protocol ACLs. Reflexive ACLs can be used with other standard and static extended ACLs.
What are the benefits of Reflexive ACLs?
 Help secure your network against network hackers and can be included in a firewall defense.
 Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.
 Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.
What additional step is required when configuring Reflexive ACLs?
Creation of a policy to track the interesting traffic.
5.4.4 How are Time-Based ACLs implemented?
To implement time-based ACLs, you create a time range that defines specific times of the day and week. You identify the time range with a name and then refer to it by a function. The time restrictions are imposed on the function itself.
What are the benefits of Time-Based ACLs?
 Offers the network administrator more control over permitting or denying access to resources.
 Allows network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.
What are the steps to configuring Time-Based ACLs?
Step 1. Define the time range to implement the ACL and give it a name.
Step 2. Apply the time range to the ACL.
Step 3. Apply the ACL to the interface.
How is the time synchronized?
The time range relies on the router system clock. The feature works best with Network Time Protocol (NTP) synchronization, but the router clock can be used.
5.4.5 What are some common ACL errors?
Incorrect order of list statements
Incorrect transport protocol used
ACL applied to the wrong interface
ACL applied to the interface in the wrong direction, i.e. inbound
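The time range from 5.4.4 in code, as an added example that is not from the study guide or from Cisco: a parser for the `periodic` form of the IOS `time-range` statement and the check that decides whether an ACL entry bound to that range is active at a given router clock reading. The range name BUSINESS-HOURS, the ACL line quoted in the comment and the timestamps are constructed; `parse_periodic`, `entry_active` and `active_on` are this example's own names. The `entry_active` docstring carries the caveat the last 5.4.4 answer makes: the decision is only as good as the router clock, so an unsynchronized clock opens or closes the entry at the wrong times.

```python
"""Time-range evaluation for time-based ACLs.

Added worked example, not code from the study guide or from Cisco. It models the
'periodic <days> HH:MM to HH:MM' statement of the IOS time-range command and decides
whether an ACL entry that references the range is active at a given clock reading.
The range name, ACL line and timestamps are constructed.
"""
from __future__ import annotations
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Day keywords IOS accepts in a periodic statement, as Python weekday numbers (Monday = 0).
DAY_GROUPS: Dict[str, Set[int]] = {
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}
Periodic = Tuple[Set[int], time, time]    # (weekdays, start, end)

def parse_periodic(statement: str) -> Periodic:
    """'periodic weekdays 8:00 to 17:00' -> ({0..4}, 08:00, 17:00)."""
    tokens = statement.lower().split()
    if tokens[0] != "periodic" or "to" not in tokens:
        raise ValueError(f"unsupported time-range statement: {statement!r}")
    to = tokens.index("to")
    days: Set[int] = set()
    for name in tokens[1:to - 1]:         # one or more day keywords before the start time
        days |= DAY_GROUPS[name]
    start = time.fromisoformat(tokens[to - 1].zfill(5))   # '8:00' -> '08:00'
    end = time.fromisoformat(tokens[to + 1].zfill(5))
    return days, start, end

def time_range_active(periodics: List[Periodic], now: datetime) -> bool:
    """A range is active when any of its periodic statements covers 'now'."""
    return any(now.weekday() in days and start <= now.time() <= end
               for days, start, end in periodics)

def entry_active(time_range_name: Optional[str], ranges: Dict[str, List[Periodic]],
                 now: datetime) -> bool:
    """An ACL entry with no time-range is always active; one with a range follows the
    router clock, which is why the guide recommends NTP synchronization."""
    if time_range_name is None:
        return True
    return time_range_active(ranges[time_range_name], now)

# Constructed configuration this models:
#   time-range BUSINESS-HOURS
#    periodic weekdays 8:00 to 17:00
#   access-list 101 permit tcp 192.168.30.0 0.0.0.255 any eq 80 time-range BUSINESS-HOURS
TIME_RANGES: Dict[str, List[Periodic]] = {
    "BUSINESS-HOURS": [parse_periodic("periodic weekdays 8:00 to 17:00")],
}

def active_on(time_range_name: Optional[str], clock: str) -> bool:
    """Convenience wrapper: clock is an ISO timestamp such as '2009-04-15T10:00'."""
    return entry_active(time_range_name, TIME_RANGES, datetime.fromisoformat(clock))
```

`active_on("BUSINESS-HOURS", "2009-04-15T10:00")` is True (a Wednesday morning) and `active_on("BUSINESS-HOURS", "2009-04-18T10:00")` is False (a Saturday); an entry with no time-range, `active_on(None, ...)`, is always active, which is the ordinary ACL behaviour the time range narrows.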